GCHQ mulls sharing DNS filters with UK telcos to tackle cyber attacks

GCHQ's cyber boss went to Washington
on Tuesday armed with a long wishlist for the UK's eavesdropping nerve
centre: chief among them was to scale up DNS filtering to block "known
malware and bad addresses."

The desire for a Great British Firewall—as
it's already been dubbed—is hardly surprising, however. The UK's largest
ISPs already routinely use DNS filtering technology to censor chunks of
the Web, such as porn sites, on behalf of their customers. The filters
were introduced over the course of the past five years, following
pressure from then-prime minister David Cameron.

It would seem that Ciaran Martin, who will
soon head up the UK's new National Cyber Security Centre (NCSC) and is
currently the director-general cyber chief at GCHQ, isn't pursuing the
use of DNS filtering in concert with telcos to similarly censor content,
however.

He said during his Stateside speech at the Billington Cyber Security Summit:

We're exploring a flagship project on scaling
up DNS filtering: what better way of providing automated defences at
scale than by the major private providers effectively blocking their
customers from coming into contact with known malware and bad addresses?

Now it's crucial that all of these
economy-wide initiatives are private sector led. The government does not
own or operate the Internet. Consumers must have a choice. Any DNS
filtering would have to be opt out based. So addressing privacy concerns
and citizen choice is hardwired into our programme.

Martin added: "These initiatives complement
what we’ve long been doing in cyber security. In the UK, we have our
Secure by Default initiative, developing secure hardware, software and
digital services, including the proper role of strong encryption. And
we'll continue to work with our private sector partners to find and fix
vulnerabilities; so far this year we’ve been credited publicly with
identifying 20 major vulnerabilities, by Apple and other major
providers."

The Internet Service Providers' Association—a
lobby group that represents the likes of Sky, BT, Virgin Media, and many
smaller ISPs—declined to comment on GCHQ's filtering plans. But it's
been reported that GCHQ is seeking voluntary deals with ISPs to block cyber attacks.

"The NCSC is a welcome development in the
fight against cybercrime and its formation is timely as our members feel
government and law enforcement need to do more to tackle cyber
criminals," it told Ars.

"As revealed in our survey published last
week, ISPs want a more collaborative approach with law enforcement and
we look forward to seeing how this will happen with the NCSC. In our
survey 93 percent of ISPA members said cyber security was a top business
priority and 79 percent plan to spend more on cyber security in the
coming years.“

The NCSC is expected to open in London next
month and Martin said he was looking at other possibilities for the
centre beyond DNS filtering.

He said that the UK's "critical systems are
going increasingly digital," and, by way of example, cited smart meters
and the government's heavily flawed and delayed universal credit scheme.
Martin added that GCHQ had "detected twice as many national security
level cyber incidents—200 per month" in 2015 compared with the previous
year.